Casey Deccio built the Web-based tool, DNSViz, as a way for network administrators implementing DNSSEC to be sure they are deploying it correctly. The tool serves up a visual analysis for the user of the DNSSEC authentication chain for a domain and its path to the DNS.
Deccio came up with the idea for the tool after noticing that federal agencies were struggling to properly deploy DNSSEC. “DNSSEC is hard to configure correctly and has to undergo regular maintenance,” he said. “It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren’t fully compatible, it keeps users from accessing .gov sites. They just get error responses.”
DNSSEC has been gradually rolling out across the Internet during the past year or so. Several major top-level domains, in addition to .gov -- including .com, .org, and .net -- are now DNSSEC-enabled. Now it’s up to the individual organizations under those top-level domains to move to the protocol. DNSSEC basically prevents attackers from redirecting users to malicious websites by redirecting them; it ensures DNS entries remain unchanged in transit and are digitally signed to ensure their authenticity.
The online tool analyzes the DNS zone's status, and finds any DNSSEC configuration errors.
Deccio plans to add alerts and APIs to the tool so that network administrators can integrate it with other tools besides via the Web. He plans to keep it as an open-source project and evolve it into a scalable monitoring system.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.